hxxp://Samsung[.]com/tetherwdautomotion

General

Target

http://Samsung.com/tetherwdautomotion

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 49 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30979006"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "574610684"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30979006"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "367721749"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30979006"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60a56a2abeb3d801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4CBAE039-1FB1-11ED-9767-EE61E14624D9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "570862349"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071970fb893d695499343397d1df5287d000000000200000000001066000000010000200000003bd49d52c10a2dca74371efad42bcb8b55c603ffc54104265b981de05fd9eba5000000000e800000000200002000000097b9c13fb24a79729e02bbf57c9e35e9b18156c3d51250f67320a4a2507d4373200000002bdcc9e0afc9914066a6848fb4b0c11e665fc1f2946281bf4845de5e4f7ab10740000000b7610f63fac33dd6dfda4e5bc31bd8dcccf4a6bf1eb2fcd3bef112374ad70c1b6d973327824fb8ecebd7b5fceb6c93c01a84605acbc5f6b549bca37fe315f27f	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "367673163"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30979006"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "574610684"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "367689759"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "571017774"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071970fb893d695499343397d1df5287d000000000200000000001066000000010000200000005ffd44503ba81e42e11f7bdc28fb2bd5721b0040ec12426301b6c78e5c95082a000000000e800000000200002000000072b32b6bc73b5971ecb6548573a55ed5c59f9b2d900553e1728091a4120b26d62000000024d171b845a6e770a82a5b243a51dd5cc1e9270aa136214348319c17fb4e24c840000000bd6fced3533ce74a2141874622ea2d6894082032020391278a728efe750180d2c5aa0ba3d9904bca2dead50b86a7cb101b2c60ec21af50ca09caf8506d6911e7	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2600230786-2767877416-126655653-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60166d2abeb3d801	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

2484 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2484 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2484 iexplore.exe
2484 iexplore.exe
2716 IEXPLORE.EXE
2716 IEXPLORE.EXE
2716 IEXPLORE.EXE
2716 IEXPLORE.EXE

pid	process
2484	iexplore.exe

pid	process
2484	iexplore.exe

pid	process
2484	iexplore.exe
2484	iexplore.exe
2716	IEXPLORE.EXE
2716	IEXPLORE.EXE
2716	IEXPLORE.EXE
2716	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 2484 wrote to memory of 2716	2484	iexplore.exe	IEXPLORE.EXE
PID 2484 wrote to memory of 2716	2484	iexplore.exe	IEXPLORE.EXE
PID 2484 wrote to memory of 2716	2484	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://Samsung.com/tetherwdautomotion
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2484

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2484 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2716

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
db32742b18ca6c7120bc81a7c6f8d71e

SHA1
89cc1b9871527e09e176ccc6f4849e33311e936c

SHA256
c0d6f583141d82ffdea54806b4fb803b17f902c278f76f7d00a345c4f2997b89

SHA512
ba22c4a611025c68722ffd47e13579e974683ddb13900ea88e325b1014104fa29a2507ad89d30ae4913659c664b447147fba1cfa87497be87897fe4b3c5f65eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
404B

MD5
7ea17a13eeacbea94485eda15d27fb59

SHA1
dc43fda24fbb4e38ad25aed4798fb59114dafd6c

SHA256
8ed5eef32496ee50b2e2daca6ff0874b43dba9e79b99da0b4f117fa80bfa80d1

SHA512
d5f6eb1a08d2c433a47d3fafd675b76a3903bbec617ad607295d61fc3754ca41d6b5b3cbdd518e5be077dcac59b7eb600ed425482b2d3a16fcc15b2d8e4a0796

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\10JC1AHN.cookie
Filesize
610B

MD5
c1755d978ca1d02085862ad83f6717c7

SHA1
df6b5aa6c4297e9388f350915fc9e1b034ba5119

SHA256
f56b75f98646b5f820a9ceefb2c7bf6ed977ddd7a44704af23e4e33d6f36d0f5

SHA512
75ac5fcbb430c8f5ed6929cbed4b57f5fd699b6d77d011325bc03c206c398ac7f39d39f2782e856e01c77edfb5dfed01b6d1ed2af877faba8fa10993f285aeb5

Download Submit

Analysis

Sharing